Can't restrict access to specified version of wiki page using FineGrainedPermissions

[Ryan J Ollos]

This is either a defect, or I am really misreading the documentation.

After not having any success getting the authz configuration to behave the way I was expecting under Trac 0.11.4, I setup the development environment for 0.11.7dev and did some testing.

The following configuration grants access to all versions of WikiStart, as I would expect,

[wiki:WikiStart]
* = WIKI_VIEW

[wiki:WikiStart@*]
* =

That is, it appears that the first match is used to grant WIKI_VIEW to all versions of WikiStart, which seems to agree with the documentation.

Given that, I would expect the following configuration to grant access to only version 3 of WikiStart (there are 7 versions of WikiStart under this instance of Trac):

[wiki:WikiStart@3]
* = WIKI_VIEW

[wiki:WikiStart@*]
* =

However, with the latter configuration, I can't access any versions of WikiStart when navigating to:

http://localhost:8000/tracdev/wiki/WikiStart?version=3

There is a Forbidden Error with:

WIKI_VIEW privileges are required to perform this operation on WikiStart

I've set the LogLevel to DEBUG and will attach the log output from trying to access the aforementioned URL.

[Ryan Ollos <ryano@…>]

Log from accessing WikiStart@3

[Ryan Ollos <ryano@…>]

When viewing the attached log, please start at line 87 to see the output from refreshing WikiStart?version=3.

I will also upload the authzpolicy.config file from the time the log was created.

Btw, I tried linking to a particular line in the attachment as can be done with files in the repository, but this doesn't seem to work. I tried: attachment:trac.log#L87​. Do I have the syntax wrong, or is the feature not implemented? There is nothing in the documentation TracLinks to imply that this should work, but it seems like it should work since it does for TracLinks with a source: realm.

[Ryan Ollos <ryano@…>]

Authz policy at the time log was created

[Michel Jouvin <jouvin@…>]

BTW, as discussed in the Google group, it'd be nice to be able to specify @HEAD to enable access only to the last version. In this case, the history menu should also be disabled.

Michel

[Christian Boos]

You need to try to reproduce this on trunk, where a number of bugs have been fixed for the AuthzPolicy.

[Michel Jouvin <jouvin@…>]

Hi,

Very late comment. I gave this another try with r9610. authz_policy seems to have had only minor changes since then. For me the problem is still the same : as soon as you add @* for a page, you cannot access any version, even though you put before a section for @n, n being a specific version of the page.

Michel

[anonymous]

I've been testing out fine grained permissions in 0.12.1 and came across this problem. In my case I would prefer not to have any history available on the pages of my project wiki that are made public. So while this is being fixed, it would be great to have a simple notation for allowing access to just the most recent version, something like @HEAD.

[Ryan J Ollos <ryano@…>]

trac/wiki/web_ui.py

@@ -122 +122 @@
         page = WikiPage(self.env, pagename)
         versioned_page = WikiPage(self.env, pagename, version=version)
 
-        req.perm(page.resource).require('WIKI_VIEW')
+        #req.perm(page.resource).require('WIKI_VIEW')
         req.perm(versioned_page.resource).require('WIKI_VIEW')
 
         if version and versioned_page.version != int(version):
@@ -623 +623 @@
                        for each in related]
 
         latest_page = WikiPage(self.env, page.name, version=None)
-        req.perm(latest_page.resource).require('WIKI_VIEW')
+        #req.perm(latest_page.resource).require('WIKI_VIEW')
 
         prev_version = next_version = None
         if version:

I've found that after dropping these two permission checks, I can restrict access to an arbitrary version of a wiki page. The reasons are obvious, but more work needs to be done (and tests written), to understand the consequences of these changes.

[Ryan J Ollos <ryano@…>]

The (probably obvious) point of my previous comment was that after spending half of a day experimenting and testing TracFineGrainedPermissions, I didn't find any issues with the plugin (tracopt.perm.authzpolicy.py), rather the issues were with trac.wiki.web_ui not being coded appropriately to handle fine-grained permissions.

[Ryan J Ollos]

To put a proper fix in place with tests I'll need to utilize [11830] and some forthcoming changesets, in particular some changes that will be committed in #11069. It might be a bit of work to backport it all to 0.12.6, but I'll certainly do that if anyone thinks the fix should be targeted to 0.12.6.

[Ryan J Ollos]

Replying to anonymous:

I've been testing out fine grained permissions in 0.12.1 and came across this problem. In my case I would prefer not to have any history available on the pages of my project wiki that are made public. So while this is being fixed, it would be great to have a simple notation for allowing access to just the most recent version, something like @HEAD.

After spending a little while looking at the code in tags/trac-1.0.1/tracopt/perm/authz_policy.py​, I think it will be feasible to restrict access to the most recent version of the page using a syntax such as @HEAD. I think this should be handled in another ticket though, and is probably more appropriate for a major rather than a minor release. Therefore, I've created #11263.

[Ryan J Ollos]

Proposed changes can be found in log:rjollos.git:t8976.

[Ryan J Ollos]

Committed to 1.0-stable in [12152:12153] and merged to trunk in [12154].